Category: Azure Active Directory

Microsoft recently released a new version of the PowerShell module for administering Azure Active Directory to General Availability.

The previous module used MSOL (Microsoft Online) cmdlets to perform tasks (e.g. Get-MSOLUser). The new module uses AzureAD cmdlets (e.g. Get-AzureADUser), which leverage the Graph API.

Because of this, you’ll want to make sure you download the latest version of the modules and update your existing scripts accordingly.

Assigning Office 365 licenses with these new cmdlets can be a bit tricky and confusing at first. So, I’ll try to explain the process step-by-step so you gain an understanding of what’s going on.

Understanding licenses in Office 365:

Each license in Office 365 has an associated SkuID and SkuPartNumber and a list of one or more associated ServicePlans.

For instance, the E3 license has a SkuID of 6fd2c87f-b296-42f0-b197-1e91e994b900, a SkuPartNumber of ‘ENTERPRISEPACK’, and is comprised of the following Service Plans:

| Service plan | Description |
| --- | --- |
| SWAY | Sway |
| INTUNE_O365 | Mobile Device Management for Office 365 |
| YAMMER_ENTERPRISE | Yammer |
| RMS_S_ENTERPRISE | Azure Rights Management (RMS) |
| OFFICESUBSCRIPTION | Office Professional Plus |
| MCOSTANDARD | Skype for Business Online |
| SHAREPOINTWAC | Office Online |
| SHAREPOINTENTERPRISE | SharePoint Online |
| EXCHANGE_S_ENTERPRISE | Exchange Online Plan 2 |

You can get a listing of the friendlier Descriptions for each of the SkuPartNumbers from TechNet here.

When you assign an E3 license to an individual user, you can choose to exclude one or more Service Plans so they don’t get access to those services.

Assigning Licenses in PowerShell

Each Office 365 tenant has a unique TenantID that looks similar to the SkuID or any other GUID. In our example below, the TenantID is 85b5ff1e-0402-400c-9e3c-0f9e965325d1.

To get a list of the SkuIDs you are subscribed to in your Office 365 tenant, connect to Azure AD using the Connect-AzureAD cmdlet. Then, run:

C:\> Get-AzureADSubscribedSku

This returns a list of ObjectIDs, SkuPartNumbers, PrepaidUnits and ConsumedUnits, showing how many licenses from each Sku have already been assigned (see example below from the online documentation for Get-AzureADSubscribedSku). The ObjectID is made up of the TenantID, an underscore, and the SkuID for each subscription you have purchased:

If we also wanted to assign, for instance, EMS licenses to the user in addition to the E3 license, we’d repeat the process above and create a second AssignedLicense object and add it to the AddLicenses property of $AssignedLicenses. I’ve done this below for brevity:

Now that we’ve got an object that contains a list of all the licenses and excluded service plans, we’re ready to actually assign these licenses to your user(s). To assign the license, run the Set-AzureADUserLicense cmdlet, providing the $AssignedLicenses variable:
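The whole procedure as one script, as an added example that is not the original post's code: it assigns E3 with selected Service Plans excluded and refuses to proceed if an exclusion name does not match the SKU, so a typo cannot silently grant access to a service. The user principal name and the exclusion list are placeholder assumptions, and Connect-AzureAD is assumed to have been run already.

```powershell
# Added example. $UserUpn and $PlansToExclude are placeholder values for illustration.
$UserUpn        = 'user@contoso.example'
$PlansToExclude = @('SWAY', 'YAMMER_ENTERPRISE')

# Find the E3 subscription by SkuPartNumber rather than hard-coding the ObjectID.
$Sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq 'ENTERPRISEPACK' }
if (-not $Sku) { throw 'ENTERPRISEPACK is not among the subscribed SKUs in this tenant.' }

# Fail closed: a misspelled plan name would otherwise leave that service enabled.
$KnownPlans = $Sku.ServicePlans.ServicePlanName
$Unknown    = @($PlansToExclude | Where-Object { $_ -notin $KnownPlans })
if ($Unknown.Count -gt 0) { throw "Unknown service plan(s): $($Unknown -join ', ')" }

# DisabledPlans expects ServicePlanId GUIDs, not the plan names.
$DisabledIds = @($Sku.ServicePlans |
    Where-Object { $_.ServicePlanName -in $PlansToExclude } |
    Select-Object -ExpandProperty ServicePlanId)

# One AssignedLicense per SKU, carrying its own list of excluded plans.
$License               = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
$License.SkuId         = $Sku.SkuId
$License.DisabledPlans = $DisabledIds

# AssignedLicenses is the container passed to Set-AzureADUserLicense.
$AssignedLicenses             = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
$AssignedLicenses.AddLicenses = $License

# License assignment fails for users with no UsageLocation, so check it first.
$User = Get-AzureADUser -ObjectId $UserUpn
if (-not $User.UsageLocation) {
    throw "$UserUpn has no UsageLocation; set one with Set-AzureADUser before licensing."
}

Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $AssignedLicenses

# Read the assignment back and confirm the excluded plans are recorded as disabled.
$Applied = (Get-AzureADUser -ObjectId $User.ObjectId).AssignedLicenses |
    Where-Object { $_.SkuId -eq $Sku.SkuId }
$Missing = @($DisabledIds | Where-Object { $_ -notin $Applied.DisabledPlans })
if ($Missing.Count -gt 0) { throw "Plans not disabled as requested: $($Missing -join ', ')" }
"E3 assigned to $UserUpn with $($DisabledIds.Count) service plan(s) disabled."
```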

This is great news for new and existing users of Azure Active Directory Authentication including Office 365, Intune, CRM Online, etc.

This feature simulates Single Sign-On by copying the hash data for user passwords from on-premises Active Directory Domain Services Domain Controllers into the Azure Active Directory Authentication Service. It also synchronizes password data to Azure more frequently than it does other metadata such as DisplayName. DirSync will detect when a user changes their password and attempt to synchronize it within minutes.

If you’re running the legacy 32-bit version of DirSync, you must first uninstall the older version, and then install the newer 64-bit version on a different computer.